
Re: Incorporating md5-BSD-style passwd-hash in openldap



On Thu, 3 May 2001, Kurt D. Zeilenga wrote:

Kurt> At 08:04 PM 5/3/01, Paulo Matos wrote:
Kurt> >        After doing this you'll be able to authenticate on ldap, however
Kurt> >you're using crypt(3) from your system, which might not support
Kurt> >md5-BSD-style hashed passwords, and this is the main reason why openldap
Kurt> >team (correct me if I'm wrong) adopted as a future path only to support
Kurt> >openssl's hash algorithms.
Kurt>
Kurt> Support for crypt(3) was intended to provide a convenient
Kurt> means for migrating from /etc/password managed secrets
Kurt> to LDAP managed secrets.  Hence, the crypt(3) was intended
Kurt> to be the host crypt(3).
	My purpose was to make things more flexible. The flexibility that
I'm talking about is the ability to easily switch between ldap
authentication and /etc/passwd files.
	And the main issue concerns the password generation. We could
even use {crypt}, but at least we could choose which type of salt
we wanted. So in a system where crypt only accepts the traditional 2
salt characters this will work as in a system where the salt can have
from 0 to 8 salt chars. The issue could be solved by some additional
configuration?

	But I can understand that it is not easy to support all kinds of
crypt/password-hash variants. However, as in Linux, FreeBSD and a lot of
BSD-based Unixes this kind of password-hash is being widely used, it
would be IMHO a matter to reflect on.

Kurt> While supporting new schemes for migration
Kurt> to LDAP makes some sense, once you have migrated to LDAP it really
Kurt> shouldn't matter (as applications should use bind to authenticate
Kurt> to the directory).  And for applications which do make use of
Kurt> userPassword values, they likely either expect the password to
Kurt> be clear text (per RFC 2256) or only recognize a limited set of
Kurt> schemes.  Crypt(3) based mechanisms are inherently host specific
Kurt> and hence should never be exposed to applications.
	I can understand your side. You're an ldap developer, so your
concerns are in giving support while migrating TO ldap and not FROM ldap.

Kurt> As far as the future of userPassword schemes, I am not sure it
Kurt> makes sense to add lots of new schemes.  However, for now,
Kurt> we're still reviewing such additions on a case by case basis.
	So does the md5 BSD based crypt variant have a chance?

Kurt> I will make a couple of additional notes.  We will soon to slapd
Kurt> such that SASL password based mechanisms (PLAIN,CRAM,DIGEST,etc.)
Kurt> can use the cleartext userPassword as the authentication secret.
Kurt> Secondly, we need to migrate all hashed passwords to the new
Kurt> authPassword attribute type (which should be published as an
Kurt> RFC soon) [designed specifically to support hashed passwords].
	I'm looking forward to seeing it.

	Best regards,

-- 
	Paulo Matos
 ----------------------------------- ----------------------------------
|Sys & Net Admin                    | Serviço de Informática           |
|Faculdade de Ciências e Tecnologia | Tel: +351-21-2941346             |
|Universidade Nova de Lisboa        | Fax: +351-21-2948548             |
|P-2825-114 Caparica                | e-Mail: pjsm@fct.unl.pt          |
 ----------------------------------- ----------------------------------
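An added example, not from this thread and not OpenLDAP code: a small Python check of the portability point discussed above. It classifies userPassword values by scheme and, for {CRYPT}, by crypt(3) format (traditional 13-character value with a two-character salt versus md5-BSD-style `$1$` with 0 to 8 salt characters), so that values a target host's crypt(3) could not verify can be flagged before switching between LDAP and /etc/passwd authentication. The host profiles and the sample values are constructed; the hash strings are fabricated to the right shape and are not real password hashes.

```python
import re

# Constructed sample userPassword values, in the shapes the thread discusses:
# an RFC 2256-style cleartext value, a traditional crypt(3) value (2-char salt),
# an md5-BSD-style crypt value ($1$, up to 8 salt chars) and a {SSHA} value.
SAMPLE_USERPASSWORDS = [
    "secret",
    "{CRYPT}abJnggxhB/yWI",
    "{CRYPT}$1$saltsalt$qeAYOUhLDU0e1eo4dgBYF0",
    "{SSHA}MTIzNDU2Nzg5MDEyMzQ1Njc4OTAxMjM0NTY3ODkwMTI=",
]

# Hypothetical host profiles: which crypt(3) formats a target host can verify.
HOST_CRYPT_FORMATS = {
    "traditional-only": {"traditional"},
    "glibc-or-bsd": {"traditional", "md5-bsd"},
}

# Traditional DES crypt: 2 salt chars + 11 hash chars, all from the crypt alphabet.
TRADITIONAL_RE = re.compile(r"^[./0-9A-Za-z]{13}$")
# md5-BSD-style crypt: "$1$" + 0..8 salt chars + "$" + 22 hash chars.
MD5_BSD_RE = re.compile(r"^\$1\$([./0-9A-Za-z]{0,8})\$[./0-9A-Za-z]{22}$")


def classify(value):
    """Return (scheme, crypt_format, salt_len) for one userPassword value."""
    m = re.match(r"^\{([A-Za-z0-9-]+)\}(.*)$", value, re.S)
    if not m:
        return ("cleartext", None, None)  # no {scheme} prefix: cleartext per RFC 2256
    scheme, body = m.group(1).upper(), m.group(2)
    if scheme != "CRYPT":
        return (scheme, None, None)
    if TRADITIONAL_RE.match(body):
        return ("CRYPT", "traditional", 2)
    md5 = MD5_BSD_RE.match(body)
    if md5:
        return ("CRYPT", "md5-bsd", len(md5.group(1)))
    return ("CRYPT", "unknown", None)


def portability_report(values, host_profile):
    """List the {CRYPT} values whose format the target host's crypt(3) cannot verify."""
    supported = HOST_CRYPT_FORMATS[host_profile]
    problems = []
    for v in values:
        scheme, fmt, _ = classify(v)
        if scheme == "CRYPT" and fmt not in supported:
            problems.append((v, fmt))
    return problems


if __name__ == "__main__":
    for v in SAMPLE_USERPASSWORDS:
        print(v, "->", classify(v))
    print(portability_report(SAMPLE_USERPASSWORDS, "traditional-only"))
```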